There is a lot of information swirling around out there on what to do with the latest Spectre/Meltdown vulnerabilities. Whereas I can’t tell you how to solve the vulnerabilities for for every Hardware and Operating System combination, I can tell you how to get your Hyper-V environments protected. You might be interested in every fine detail of what is happening or you may want to just find out how to get protected as quick as possible. If you are interested in the latter, then this is the blog to start with. Here are the no nonsense steps that will protect your Hyper-V hosts. I will be making a second post for the VMs running on these hosts.
Windows 2012 R2 and Windows 2016 Hosts
All Associated Files for Fixing and Testing for Spectre/Meltdown can be found HERE:
- Make 3 Registry Entries and Reboot
- Manually through the following reg.exe add entries: See Batch File In (https://1drv.ms/f/s!AkBgjSJPQpxUnLQwzcraOFu8i5CsuA)
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management” /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization” /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d “1.0” /f
-
- OR through Group Policy Registry Preference if you want to get to a baseline throughout your environment across all your hosts.
- Install Patch for your Operating system and Reboot:
- Windows Update Catalogue:
- Install firmware from your Vendor: Common ones in my Environment.* As of the writing of this article, the initial BIOS updates have all been recalled due to instability. You can however keep monitoring the below links for HP and Dell, or find your particular vendors update, to see when then next “stable” release of your Host BIOS will be available.
* Other Firmware Modules that I use can be found here: Removed Due to Issues with first version of release firmware. I will include more here once the final revisions have been released.
https://1drv.ms/f/s!AkBgjSJPQpxUnLQwzcraOFu8i5CsuA
For links to your HP or Dell hosts updated firmware for the Spectre/Meltdown Vulnerability, you can check the links below
HP: https://h22208.www2.hpe.com/eginfolib/securityalerts/SCAM/Side_Channel_Analysis_Method.html
Testing:
- Download the Following Test Scripts from HERE and place them on a folder on your Hyper-V host.
- SpeculationControl.psd1
- SpeculationControl.psm1
- SpeculationControl-runme.ps1
- Open PowerShell and Change your Directory to the location of your scripts i.e. CD \Spectre_Meltdown
- Run Import-Module .\SpeculationControl.psd1
- Run Get-SpeculationControlSettings
- If patched correctly, your results should look like the screenshot below.
If it looks like this, with lots of green, you are on the right track. Check back to see if there are any other additions that come out in the next few days/weeks.
Sources for More Information:
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms
Support Guidance:
VirtuallyAware 